(LiveHacking.Com) – Oracle has released an update to Java 7 to address two Critical vulnerabilities. A few days ago, reports emerged about another new vulnerability in Java that was being exploited in the wild. The vulnerability allowed a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. An exploit for the vulnerability was quickly added to exploit toolkits like the Blackhole Exploit Kit (BHEK) and the Cool Exploit Kit (CEK).
These vulnerabilities, known as CVE-2013-0422 and CVE-2012-3174, do not affect Java on servers, Java desktop applications, or embedded Java, however Java running in a web browser is affected.
To exploit the vulnerability, an unsuspecting user is tricked into visiting a website which has been designed specifically to infect their PC with malware. Once at the website the vulnerability allows for the execution of a malicious applet within the browser which then results in the execution arbitrary code (to install malware).
As part of Java 7 update 11, Oracle is switching the Java security settings to “high” by default. This means that users need to expressly allow the execution of any applets, which are either unsigned or are self-signed, in the browser. The idea is that any unsuspecting users visiting malicious web sites will be told before an applet is run.
Since update 10 of Java 7, it is possible to disable Java content in web browsers through the Java control panel applet. To do this de-select the “Enable Java content in the browser” check-box in the Java Control Panel (under the Security tab).
However questions are now being raised about the long-term viability of Java support in web browsers. Adam Gowdiak, the founder and CEO of Security Explorations – who has found several critical vulnerabilities in Java, told Reuters that “”We don’t dare to tell users that it’s safe to enable Java again.”
“The safest thing to do at this point is just assume that Java is always going to be vulnerable. Folks don’t really need Java on their desktop,” said HD Moore, chief security officer with Rapid7 – the custodians of Metasploit.